death to passwords
DESCRIPTION
This presentation was being held at Droidcon DE 2014. It covers the main issues with passwords in mobile and web applications and which alternative technolgoies can help resolving them.TRANSCRIPT
DEATH TO PASSWORDS LONG LIVE SECURITY Tim Messerschmidt / @SeraAndroiD Droidcon Berlin ‘14
DO YOU BELIEVE IN SECURITY?
DO YOU BELIEVE IN SECURITY?
A STORY ABOUT PASSWORDS WIKI.SCULLSECURITY.ORG/PASSWORDS
4.7% OF USERS USE THE PASSWORD PASSWORD
8.5% ARE USING PASSWORD OR 123456
9.8% USE PASSWORD 123456 OR 12345678
... And it doesn’t even stop here
14% have a password from the top 10 passwords
40% have a password from the top 100 passwords
79% have a password from the top 500 passwords
91% have a password from the top 1000 passwords
2013 CBSNEWS.COM/NEWS/THE-25-MOST-COMMON-PASSWORDS-OF-2013/
1. 123456 up 1 2. Password down 1
3. 12345678
4. Qwerty up 1
5. Abc123 down 1
6. 123456789 New
7. 111111 up 2
8. 1234567 up 5
9. Iloveyou up 2
10. Adobe123 new
11. 123123 up 5 12. Admin new
13. 1234567890 new
14. Letmein down 7
15. Photoshop new
16. 1234 new
17. Monkey down 11
18. Shadow
19. Sunshine down 5
20. 12345 new
My learnings from this trend
- People HATE monkeys
- People are more depressed
- Adobe is very popular
3 Password Problems - Reused
- Phished
- Keylogged
abstrusegoose.com/296
abstrusegoose.com/262
xkcd.com/936
Favor security too much over the experience and you’ll make the website a pain to use.
Basic Authentication username:password
Storing Passwords SQLCipher & KeyChain
SO WHAT?
People forget passwords…
45% admit to leaving a website instead of re-setting their password or answering security questions * * Blue Inc. 2011
Also they hate to register
Out of 657 surveyed users 66% think that social sign-in is a desirable alternative. * * Blue Inc. 2011
heartbleed.com
heartbleed.agilebits.com
SO WHAT CAN WE DO INSTEAD?
PASSWORDLESS AUTHENTICATION MEDIUM.COM/CYBER-SECURITY/9ED56D483EB
TWO FACTOR AUTH TWOFACTORAUTH.ORG
Authentication vs. Authorization
OAUTH 1.0
Request Request Token
Grant Request Token
Direct User to Service Obtain AuthorizaEon
Direct to Consumer Request Access Token
Grant Access Token
Access Resources
Consumer Service Provider
OAUTH 1.0A
Android: Signpost <3 github.com/mttkay/signpost
OAUTH 2.0
Direct User to Service Obtain AuthorizaEon
Request Access Token
Grant Access Token
Direct to Consumer Access Resources / Profile
Consumer Service Provider
URL url = new URL(”http://url.com/”);!HttpURLConnection urlConnection =!
!(HttpURLConnection) url.openConnection();!!!setRequestProperty(”Authorization”, ”Bearer …”);!
HTTP Header
“url.com/oauth?access_token=…”!
URI parameter
Android
Scribe github.com/fernandezpablo85/scribe
PostmanLib github.com/fedepaol/PostmanLib--Rings-Twice--Android
OAuth 2.0 and the Road to Hell hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell
Identity Techniques - OpenID
- OpenID Connect
- Persona
Identity Providers Social vs. Concrete
Do we always use the same identity?
Should we always use the same identity?
Name
Date of Birth
Locale
Time Zone
Address
Gender
Language
Phone Number
Creation Date
What’s Next? Bluetooth Smart and Co.
Security matters to users and developers
Difference authentication and authorization
User Experience should be enhanced not impaired
BATTLEHACK ’14 BERLIN: JUNE 21ST & 22ND WARSAW: JULY 12TH & 13TH LONDON: OCTOBER 11TH & 12TH MOSCOW: OCTOBER 25TH & 26TH
BATTLEHACK.ORG
Questions? [email protected] @SeraAndroid slideshare.com/paypal